guardvibe 0.6.3 → 0.7.0

package/build/data/rules/database.js

@@ -0,0 +1,100 @@
+// Security rules for Supabase, Prisma, and Drizzle ORM
+export const databaseRules = [
+    {
+        id: "VG430",
+        name: "Supabase Anon Key on Server",
+        severity: "high",
+        owasp: "A01:2025 Broken Access Control",
+        description: "Using the anon/public key server-side bypasses Row Level Security. Use the service_role key on the server.",
+        pattern: /createClient\s*\([\s\S]*?(?:NEXT_PUBLIC_SUPABASE_ANON_KEY|supabaseAnonKey)/g,
+        languages: ["javascript", "typescript"],
+        fix: "Use SUPABASE_SERVICE_ROLE_KEY on the server. The anon key is for client-side use with RLS.",
+        fixCode: '// Server-side: use service role key\nconst supabase = createClient(\n  process.env.SUPABASE_URL!,\n  process.env.SUPABASE_SERVICE_ROLE_KEY!\n);',
+        compliance: ["SOC2:CC6.6", "HIPAA:§164.312(a)"],
+    },
+    {
+        id: "VG431",
+        name: "Supabase Missing RLS Warning",
+        severity: "medium",
+        owasp: "A01:2025 Broken Access Control",
+        description: "Supabase client queries data. Ensure Row Level Security policies are configured on your tables.",
+        pattern: /supabase\s*\.from\s*\(\s*["']\w+["']\s*\)\s*\.(?:select|insert|update|delete|upsert)\s*\(/g,
+        languages: ["javascript", "typescript"],
+        fix: "Enable Row Level Security (RLS) on all Supabase tables and create appropriate policies.",
+        fixCode: "-- Enable RLS on tables\nALTER TABLE posts ENABLE ROW LEVEL SECURITY;\n\nCREATE POLICY \"Users can read own posts\"\n  ON posts FOR SELECT\n  USING (auth.uid() = user_id);",
+        compliance: ["SOC2:CC6.6"],
+    },
+    {
+        id: "VG432",
+        name: "Prisma Raw Query Injection",
+        severity: "critical",
+        owasp: "A03:2025 Injection",
+        description: "Prisma $queryRaw or $executeRaw with template literal interpolation. Use Prisma.sql tagged template for safe parameterization.",
+        pattern: /\.\$(?:queryRaw|executeRaw)`[^`]*\$\{(?!Prisma\.)/g,
+        languages: ["javascript", "typescript"],
+        fix: "Use Prisma.sql tagged template for safe parameterization.",
+        fixCode: 'import { Prisma } from "@prisma/client";\n\nconst result = await prisma.$queryRaw(\n  Prisma.sql`SELECT * FROM users WHERE id = ${userId}`\n);',
+        compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.1"],
+    },
+    {
+        id: "VG433",
+        name: "Prisma queryRawUnsafe Usage",
+        severity: "critical",
+        owasp: "A03:2025 Injection",
+        description: "$queryRawUnsafe and $executeRawUnsafe pass raw SQL strings without parameterization. Extremely dangerous with user input.",
+        pattern: /\.\$(?:queryRawUnsafe|executeRawUnsafe)\s*\(/g,
+        languages: ["javascript", "typescript"],
+        fix: "Replace with $queryRaw using Prisma.sql tagged template.",
+        fixCode: "const result = await prisma.$queryRaw(\n  Prisma.sql`SELECT * FROM users WHERE id = ${userId}`\n);",
+        compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.1"],
+    },
+    {
+        id: "VG434",
+        name: "Drizzle Unsafe SQL Interpolation",
+        severity: "critical",
+        owasp: "A03:2025 Injection",
+        description: "Drizzle sql tagged template with direct variable interpolation. Use sql.placeholder() for safe parameterization.",
+        pattern: /(?:db\.execute|db\.run|db\.get|db\.all)\s*\(\s*sql`[^`]*\$\{/g,
+        languages: ["javascript", "typescript"],
+        fix: "Use sql.placeholder() for dynamic values in Drizzle queries.",
+        fixCode: 'import { sql } from "drizzle-orm";\n\nconst result = await db.execute(\n  sql`SELECT * FROM users WHERE id = ${sql.placeholder("id")}`,\n  { id: userId }\n);',
+        compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.1"],
+    },
+    {
+        id: "VG435",
+        name: "Database URL Client Exposure",
+        severity: "critical",
+        owasp: "A07:2025 Sensitive Data Exposure",
+        description: "DATABASE_URL or DIRECT_URL is accessed in client-side code. This exposes your database connection string to the browser.",
+        pattern: /["']use client["'][\s\S]*?process\.env\.(?:DATABASE_URL|DIRECT_URL)/g,
+        languages: ["javascript", "typescript"],
+        fix: "Never access database URLs in client components. Use Server Components or API routes.",
+        fixCode: "// Access database only server-side (no 'use client')\nexport default async function Page() {\n  const data = await prisma.user.findMany();\n  return <UserList users={data} />;\n}",
+        compliance: ["SOC2:CC6.1", "PCI-DSS:Req2.3", "HIPAA:§164.312(a)"],
+    },
+    {
+        id: "VG436",
+        name: "NEXT_PUBLIC Database URL",
+        severity: "critical",
+        owasp: "A07:2025 Sensitive Data Exposure",
+        description: "Database URL is prefixed with NEXT_PUBLIC_, exposing it in the client bundle.",
+        pattern: /NEXT_PUBLIC_\w*(?:DATABASE|DB|POSTGRES|MYSQL|MONGO|REDIS|SUPABASE_DB)\w*URL\s*=/gi,
+        languages: ["javascript", "typescript", "shell"],
+        fix: "Remove NEXT_PUBLIC_ prefix. Database URLs must only be server-side.",
+        fixCode: "# WRONG: exposed to client\n# NEXT_PUBLIC_DATABASE_URL=postgresql://...\n\n# CORRECT: server-side only\nDATABASE_URL=postgresql://...",
+        compliance: ["SOC2:CC6.1", "PCI-DSS:Req2.3", "HIPAA:§164.312(a)"],
+    },
+    {
+        id: "VG437",
+        name: "Supabase Service Role Key in Client",
+        severity: "critical",
+        owasp: "A07:2025 Sensitive Data Exposure",
+        description: "SUPABASE_SERVICE_ROLE_KEY is accessed in client-side code. This key bypasses RLS and grants full database access.",
+        pattern: /["']use client["'][\s\S]*?(?:SUPABASE_SERVICE_ROLE_KEY|SERVICE_ROLE)/g,
+        languages: ["javascript", "typescript"],
+        fix: "Never use the service role key in client code.",
+        fixCode: '// Server-side only\n"use server";\nconst adminClient = createClient(url, process.env.SUPABASE_SERVICE_ROLE_KEY!);',
+        compliance: ["SOC2:CC6.1", "HIPAA:§164.312(a)"],
+    },
+];
+//# sourceMappingURL=database.js.map

package/build/data/rules/database.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"database.js","sourceRoot":"","sources":["../../../src/data/rules/database.ts"],"names":[],"mappings":"AAEA,uDAAuD;AACvD,MAAM,CAAC,MAAM,aAAa,GAAmB;IAC3C;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,4GAA4G;QAC9G,OAAO,EAAE,6EAA6E;QACtF,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,4FAA4F;QACjG,OAAO,EACL,kJAAkJ;QACpJ,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,8BAA8B;QACpC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,iGAAiG;QACnG,OAAO,EACL,4FAA4F;QAC9F,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,yFAAyF;QAC9F,OAAO,EACL,6KAA6K;QAC/K,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,4BAA4B;QAClC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,gIAAgI;QAClI,OAAO,EAAE,oDAAoD;QAC7D,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,2DAA2D;QAChE,OAAO,EACL,gJAAgJ;QAClJ,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,2HAA2H;QAC7H,OAAO,EAAE,+CAA+C;QACxD,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,0DAA0D;QAC/D,OAAO,EACL,oGAAoG;QACtG,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,kHAAkH;QACpH,OAAO,EAAE,+DAA+D;QACxE,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,8DAA8D;QACnE,OAAO,EACL,+JAA+J;QACjK,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,8BAA8B;QACpC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,0HAA0H;QAC5H,OAAO,EAAE,sEAAsE;QAC/E,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,uFAAuF;QAC5F,OAAO,EACL,qLAAqL;QACvL,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,EAAE,mBAAmB,CAAC;KAClE;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,+EAA+E;QACjF,OAAO,EACL,mFAAmF;QACrF,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,OAAO,CAAC;QAChD,GAAG,EAAE,qEAAqE;QAC1E,OAAO,EACL,uIAAuI;QACzI,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,EAAE,mBAAmB,CAAC;KAClE;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,qCAAqC;QAC3C,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,mHAAmH;QACrH,OAAO,EAAE,uEAAuE;QAChF,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,gDAAgD;QACrD,OAAO,EACL,oHAAoH;QACtH,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;CACF,CAAC"}

package/build/data/rules/deployment.d.ts

@@ -0,0 +1,3 @@
+import type { SecurityRule } from "./types.js";
+export declare const deploymentRules: SecurityRule[];
+//# sourceMappingURL=deployment.d.ts.map

package/build/data/rules/deployment.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"deployment.d.ts","sourceRoot":"","sources":["../../../src/data/rules/deployment.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAG/C,eAAO,MAAM,eAAe,EAAE,YAAY,EA+NzC,CAAC"}

package/build/data/rules/deployment.js

@@ -0,0 +1,192 @@
+// Security rules for deployment config files
+export const deploymentRules = [
+    // vercel.json / vercel.ts
+    {
+        id: "VG500",
+        name: "Vercel CORS Wildcard",
+        severity: "high",
+        owasp: "A01:2025 Broken Access Control",
+        description: "Vercel config sets Access-Control-Allow-Origin to wildcard (*), allowing any website to make requests.",
+        pattern: /["']Access-Control-Allow-Origin["'][\s\S]*?["']\*["']/g,
+        languages: ["vercel-config", "json"],
+        fix: "Restrict CORS to specific trusted origins.",
+        fixCode: '// vercel.json\n{\n  "headers": [{\n    "source": "/api/(.*)",\n    "headers": [{ "key": "Access-Control-Allow-Origin", "value": "https://yourdomain.com" }]\n  }]\n}',
+        compliance: ["SOC2:CC6.6"],
+    },
+    {
+        id: "VG501",
+        name: "Vercel Internal Rewrite Exposure",
+        severity: "high",
+        owasp: "A01:2025 Broken Access Control",
+        description: "Vercel rewrites expose internal service URLs to the public internet.",
+        pattern: /["']rewrites["']\s*:\s*\[[\s\S]*?["']destination["']\s*:\s*["']https?:\/\/(?:localhost|127\.0\.0\.1|10\.|172\.(?:1[6-9]|2\d|3[01])\.|192\.168\.)/g,
+        languages: ["vercel-config", "json"],
+        fix: "Do not rewrite to internal network addresses. Use Vercel environment variables for service URLs.",
+        compliance: ["SOC2:CC6.6"],
+    },
+    {
+        id: "VG503",
+        name: "Vercel Cron Missing Secret Verification",
+        severity: "high",
+        owasp: "A01:2025 Broken Access Control",
+        description: "Cron jobs are configured but the endpoint may not verify CRON_SECRET. Anyone could trigger the cron endpoint manually.",
+        pattern: /["']crons["']\s*:\s*\[[\s\S]*?["']path["']\s*:\s*["'][^"']+["']/g,
+        languages: ["vercel-config", "json"],
+        fix: "Verify the CRON_SECRET header in your cron endpoint.",
+        fixCode: '// app/api/cron/route.ts\nexport async function GET(request: Request) {\n  const authHeader = request.headers.get("authorization");\n  if (authHeader !== `Bearer ${process.env.CRON_SECRET}`) {\n    return new Response("Unauthorized", { status: 401 });\n  }\n}',
+        compliance: ["SOC2:CC6.6"],
+    },
+    {
+        id: "VG504",
+        name: "Excessive Function Duration",
+        severity: "medium",
+        owasp: "A05:2025 Security Misconfiguration",
+        description: "Function maxDuration is set very high. Long-running functions increase costs and attack surface.",
+        pattern: /["']maxDuration["']\s*:\s*(?:[3-9]\d{2}|[1-9]\d{3,})/g,
+        languages: ["vercel-config", "json"],
+        fix: "Set maxDuration to the minimum required. Default 300s is sufficient for most use cases.",
+    },
+    {
+        id: "VG506",
+        name: "Hardcoded Secret in Vercel Config",
+        severity: "critical",
+        owasp: "A07:2025 Sensitive Data Exposure",
+        description: "Secret or API key hardcoded in vercel.json. This file is committed to git.",
+        pattern: /["'](?:SECRET|KEY|TOKEN|PASSWORD|CREDENTIAL)\w*["']\s*:\s*["'][A-Za-z0-9_\-]{12,}["']/gi,
+        languages: ["vercel-config", "json"],
+        fix: "Use Vercel environment variables (vercel env add) instead of hardcoding in config files.",
+        compliance: ["SOC2:CC6.1", "PCI-DSS:Req2.3"],
+    },
+    // next.config
+    {
+        id: "VG507",
+        name: "Wildcard Remote Image Pattern",
+        severity: "high",
+        owasp: "A05:2025 Security Misconfiguration",
+        description: "next.config allows images from any hostname. This enables SSRF and hotlinking attacks.",
+        pattern: /remotePatterns\s*:\s*\[[\s\S]*?hostname\s*:\s*["'](?:\*\*|\*)["']/g,
+        languages: ["nextjs-config", "javascript", "typescript"],
+        fix: "Restrict remotePatterns to specific trusted hostnames.",
+        fixCode: '// next.config.ts\nimages: {\n  remotePatterns: [\n    { protocol: "https", hostname: "images.example.com" },\n  ]\n}',
+        compliance: ["SOC2:CC6.6"],
+    },
+    {
+        id: "VG509",
+        name: "Powered By Header Enabled",
+        severity: "low",
+        owasp: "A05:2025 Security Misconfiguration",
+        description: "X-Powered-By header reveals Next.js framework. This helps attackers target known vulnerabilities.",
+        pattern: /poweredByHeader\s*:\s*true/g,
+        languages: ["nextjs-config", "javascript", "typescript"],
+        fix: "Set poweredByHeader to false in next.config.ts.",
+        fixCode: "// next.config.ts\nconst config = {\n  poweredByHeader: false,\n};",
+    },
+    {
+        id: "VG510",
+        name: "Next Config CORS Wildcard",
+        severity: "high",
+        owasp: "A01:2025 Broken Access Control",
+        description: "Next.js config headers() sets Access-Control-Allow-Origin to wildcard (*).",
+        pattern: /headers\s*\(\s*\)\s*\{[\s\S]*?Access-Control-Allow-Origin[\s\S]*?["']\*["']/g,
+        languages: ["nextjs-config", "javascript", "typescript"],
+        fix: "Restrict CORS to specific trusted origins.",
+        compliance: ["SOC2:CC6.6"],
+    },
+    {
+        id: "VG512",
+        name: "Source Maps in Production",
+        severity: "medium",
+        owasp: "A05:2025 Security Misconfiguration",
+        description: "Source maps enabled in production expose original source code to attackers.",
+        pattern: /devtool\s*:\s*["'](?:source-map|eval-source-map|cheap-source-map)["']/g,
+        languages: ["nextjs-config", "javascript", "typescript"],
+        fix: "Disable source maps in production.",
+        fixCode: "// next.config.ts\nconst config = {\n  productionBrowserSourceMaps: false,\n};",
+        compliance: ["SOC2:CC6.1"],
+    },
+    // docker-compose.yml
+    {
+        id: "VG513",
+        name: "Docker Compose Public Port Binding",
+        severity: "medium",
+        owasp: "A05:2025 Security Misconfiguration",
+        description: "Port bound to 0.0.0.0 exposes the service to all network interfaces.",
+        pattern: /ports\s*:\s*\n\s*-\s*["']?0\.0\.0\.0:/gm,
+        languages: ["docker-compose", "yaml"],
+        fix: "Bind to 127.0.0.1 for local-only access.",
+        fixCode: '# Bind to localhost only\nports:\n  - "127.0.0.1:3000:3000"',
+        compliance: ["SOC2:CC6.6"],
+    },
+    {
+        id: "VG514",
+        name: "Docker Compose Hardcoded Secret",
+        severity: "critical",
+        owasp: "A07:2025 Sensitive Data Exposure",
+        description: "Secret hardcoded in docker-compose environment section. Use Docker secrets or .env file.",
+        pattern: /environment\s*:\s*\n(?:\s*-\s*|\s*\w+\s*:\s*)[\s\S]*?(?:SECRET|PASSWORD|TOKEN|KEY|CREDENTIAL)\w*\s*[=:]\s*\S{8,}/gi,
+        languages: ["docker-compose", "yaml"],
+        fix: "Use Docker secrets or reference a .env file instead of hardcoding.",
+        fixCode: "# Use .env file\nservices:\n  app:\n    env_file:\n      - .env",
+        compliance: ["SOC2:CC6.1", "PCI-DSS:Req2.3"],
+    },
+    {
+        id: "VG515",
+        name: "Docker Compose Privileged Container",
+        severity: "critical",
+        owasp: "A05:2025 Security Misconfiguration",
+        description: "Container runs in privileged mode with full host access. This is a severe security risk.",
+        pattern: /privileged\s*:\s*true/g,
+        languages: ["docker-compose", "yaml"],
+        fix: "Remove privileged: true. Use specific capabilities (cap_add) if needed.",
+        fixCode: "# Instead of privileged: true, use specific capabilities\nservices:\n  app:\n    cap_add:\n      - NET_ADMIN",
+        compliance: ["SOC2:CC6.1"],
+    },
+    {
+        id: "VG516",
+        name: "Docker Compose Host Volume Mount",
+        severity: "high",
+        owasp: "A05:2025 Security Misconfiguration",
+        description: "Mounting the entire host filesystem gives the container excessive access.",
+        pattern: /volumes\s*:\s*\n\s*-\s*["']?(?:\/:|\/etc|\/var|\/root|\/home)\s*:/gm,
+        languages: ["docker-compose", "yaml"],
+        fix: "Mount only specific directories needed by the application.",
+        fixCode: "# Mount only what's needed\nvolumes:\n  - ./data:/app/data",
+        compliance: ["SOC2:CC6.1"],
+    },
+    // fly.toml / render.yaml / netlify.toml
+    {
+        id: "VG517",
+        name: "Platform Config Hardcoded Secret",
+        severity: "critical",
+        owasp: "A07:2025 Sensitive Data Exposure",
+        description: "Secret hardcoded in deployment platform config file. These files are committed to git.",
+        pattern: /\[env\][\s\S]*?(?:SECRET|PASSWORD|TOKEN|KEY|CREDENTIAL)\w*\s*=\s*["']?[A-Za-z0-9_\-]{12,}/gi,
+        languages: ["fly-config", "render-config", "netlify-config", "toml"],
+        fix: "Use your platform's secret management (fly secrets set, Render env groups, Netlify env vars).",
+        fixCode: '# fly.toml — don\'t put secrets here\n# Instead: fly secrets set SECRET_KEY=value\n\n[env]\n  LOG_LEVEL = "info"',
+        compliance: ["SOC2:CC6.1", "PCI-DSS:Req2.3"],
+    },
+    {
+        id: "VG518",
+        name: "Platform Internal Port Exposed",
+        severity: "medium",
+        owasp: "A05:2025 Security Misconfiguration",
+        description: "Internal service port (database, cache) is exposed publicly.",
+        pattern: /internal_port\s*=\s*(?:5432|3306|6379|27017|9200|2379)/g,
+        languages: ["fly-config", "toml"],
+        fix: "Don't expose database or cache ports publicly. Use internal networking.",
+        compliance: ["SOC2:CC6.6"],
+    },
+    {
+        id: "VG520",
+        name: "Missing HTTPS Redirect",
+        severity: "medium",
+        owasp: "A05:2025 Security Misconfiguration",
+        description: "No HTTP to HTTPS redirect configured. Traffic may be sent unencrypted.",
+        pattern: /force_https\s*=\s*false/g,
+        languages: ["fly-config", "toml"],
+        fix: "Enable force_https to redirect all HTTP traffic to HTTPS.",
+        compliance: ["SOC2:CC6.1", "PCI-DSS:Req4.1"],
+    },
+];
+//# sourceMappingURL=deployment.js.map

package/build/data/rules/deployment.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"deployment.js","sourceRoot":"","sources":["../../../src/data/rules/deployment.ts"],"names":[],"mappings":"AAEA,6CAA6C;AAC7C,MAAM,CAAC,MAAM,eAAe,GAAmB;IAC7C,0BAA0B;IAC1B;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,sBAAsB;QAC5B,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,wGAAwG;QAC1G,OAAO,EAAE,wDAAwD;QACjE,SAAS,EAAE,CAAC,eAAe,EAAE,MAAM,CAAC;QACpC,GAAG,EAAE,4CAA4C;QACjD,OAAO,EACL,uKAAuK;QACzK,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,sEAAsE;QACxE,OAAO,EACL,mJAAmJ;QACrJ,SAAS,EAAE,CAAC,eAAe,EAAE,MAAM,CAAC;QACpC,GAAG,EAAE,kGAAkG;QACvG,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,yCAAyC;QAC/C,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,wHAAwH;QAC1H,OAAO,EACL,kEAAkE;QACpE,SAAS,EAAE,CAAC,eAAe,EAAE,MAAM,CAAC;QACpC,GAAG,EAAE,sDAAsD;QAC3D,OAAO,EACL,qQAAqQ;QACvQ,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,kGAAkG;QACpG,OAAO,EAAE,uDAAuD;QAChE,SAAS,EAAE,CAAC,eAAe,EAAE,MAAM,CAAC;QACpC,GAAG,EAAE,yFAAyF;KAC/F;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,mCAAmC;QACzC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,4EAA4E;QAC9E,OAAO,EACL,yFAAyF;QAC3F,SAAS,EAAE,CAAC,eAAe,EAAE,MAAM,CAAC;QACpC,GAAG,EAAE,0FAA0F;QAC/F,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,CAAC;KAC7C;IAED,cAAc;IACd;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,wFAAwF;QAC1F,OAAO,EAAE,oEAAoE;QAC7E,SAAS,EAAE,CAAC,eAAe,EAAE,YAAY,EAAE,YAAY,CAAC;QACxD,GAAG,EAAE,wDAAwD;QAC7D,OAAO,EACL,uHAAuH;QACzH,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,2BAA2B;QACjC,QAAQ,EAAE,KAAK;QACf,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,mGAAmG;QACrG,OAAO,EAAE,6BAA6B;QACtC,SAAS,EAAE,CAAC,eAAe,EAAE,YAAY,EAAE,YAAY,CAAC;QACxD,GAAG,EAAE,iDAAiD;QACtD,OAAO,EAAE,oEAAoE;KAC9E;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,2BAA2B;QACjC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,4EAA4E;QAC9E,OAAO,EACL,8EAA8E;QAChF,SAAS,EAAE,CAAC,eAAe,EAAE,YAAY,EAAE,YAAY,CAAC;QACxD,GAAG,EAAE,4CAA4C;QACjD,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,2BAA2B;QACjC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,6EAA6E;QAC/E,OAAO,EACL,wEAAwE;QAC1E,SAAS,EAAE,CAAC,eAAe,EAAE,YAAY,EAAE,YAAY,CAAC;QACxD,GAAG,EAAE,oCAAoC;QACzC,OAAO,EACL,gFAAgF;QAClF,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,qBAAqB;IACrB;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,oCAAoC;QAC1C,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,sEAAsE;QACxE,OAAO,EAAE,yCAAyC;QAClD,SAAS,EAAE,CAAC,gBAAgB,EAAE,MAAM,CAAC;QACrC,GAAG,EAAE,0CAA0C;QAC/C,OAAO,EAAE,6DAA6D;QACtE,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,iCAAiC;QACvC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,0FAA0F;QAC5F,OAAO,EACL,oHAAoH;QACtH,SAAS,EAAE,CAAC,gBAAgB,EAAE,MAAM,CAAC;QACrC,GAAG,EAAE,oEAAoE;QACzE,OAAO,EACL,iEAAiE;QACnE,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,CAAC;KAC7C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,qCAAqC;QAC3C,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,0FAA0F;QAC5F,OAAO,EAAE,wBAAwB;QACjC,SAAS,EAAE,CAAC,gBAAgB,EAAE,MAAM,CAAC;QACrC,GAAG,EAAE,yEAAyE;QAC9E,OAAO,EACL,8GAA8G;QAChH,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,2EAA2E;QAC7E,OAAO,EAAE,qEAAqE;QAC9E,SAAS,EAAE,CAAC,gBAAgB,EAAE,MAAM,CAAC;QACrC,GAAG,EAAE,4DAA4D;QACjE,OAAO,EACL,4DAA4D;QAC9D,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,wCAAwC;IACxC;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,wFAAwF;QAC1F,OAAO,EACL,6FAA6F;QAC/F,SAAS,EAAE,CAAC,YAAY,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,CAAC;QACpE,GAAG,EAAE,+FAA+F;QACpG,OAAO,EACL,kHAAkH;QACpH,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,CAAC;KAC7C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,gCAAgC;QACtC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,8DAA8D;QAChE,OAAO,EAAE,yDAAyD;QAClE,SAAS,EAAE,CAAC,YAAY,EAAE,MAAM,CAAC;QACjC,GAAG,EAAE,yEAAyE;QAC9E,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,wEAAwE;QAC1E,OAAO,EAAE,0BAA0B;QACnC,SAAS,EAAE,CAAC,YAAY,EAAE,MAAM,CAAC;QACjC,GAAG,EAAE,2DAA2D;QAChE,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,CAAC;KAC7C;CACF,CAAC"}

package/build/data/rules/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/data/rules/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAU/C,eAAO,MAAM,UAAU,qCAStB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/data/rules/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAW/C,eAAO,MAAM,UAAU,qCAUtB,CAAC"}

package/build/data/rules/index.js

@@ -1,19 +1,21 @@
 import { coreRules } from "./core.js";
 import { goRules } from "./go.js";
-import { javaRules } from "./java.js";
-import { phpRules } from "./php.js";
-import { rubyRules } from "./ruby.js";
 import { dockerfileRules } from "./dockerfile.js";
 import { cicdRules } from "./cicd.js";
 import { terraformRules } from "./terraform.js";
+import { nextjsRules } from "./nextjs.js";
+import { authRules } from "./auth.js";
+import { databaseRules } from "./database.js";
+import { deploymentRules } from "./deployment.js";
 export const owaspRules = [
     ...coreRules,
     ...goRules,
-    ...javaRules,
-    ...phpRules,
-    ...rubyRules,
     ...dockerfileRules,
     ...cicdRules,
     ...terraformRules,
+    ...nextjsRules,
+    ...authRules,
+    ...databaseRules,
+    ...deploymentRules,
 ];
 //# sourceMappingURL=index.js.map

package/build/data/rules/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/data/rules/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,QAAQ,EAAE,MAAM,UAAU,CAAC;AACpC,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAClD,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAEhD,MAAM,CAAC,MAAM,UAAU,GAAG;IACxB,GAAG,SAAS;IACZ,GAAG,OAAO;IACV,GAAG,SAAS;IACZ,GAAG,QAAQ;IACX,GAAG,SAAS;IACZ,GAAG,eAAe;IAClB,GAAG,SAAS;IACZ,GAAG,cAAc;CAClB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/data/rules/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAClD,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAChD,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAC9C,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAElD,MAAM,CAAC,MAAM,UAAU,GAAG;IACxB,GAAG,SAAS;IACZ,GAAG,OAAO;IACV,GAAG,eAAe;IAClB,GAAG,SAAS;IACZ,GAAG,cAAc;IACjB,GAAG,WAAW;IACd,GAAG,SAAS;IACZ,GAAG,aAAa;IAChB,GAAG,eAAe;CACnB,CAAC"}

package/build/data/rules/nextjs.d.ts

@@ -0,0 +1,3 @@
+import type { SecurityRule } from "./types.js";
+export declare const nextjsRules: SecurityRule[];
+//# sourceMappingURL=nextjs.d.ts.map

package/build/data/rules/nextjs.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"nextjs.d.ts","sourceRoot":"","sources":["../../../src/data/rules/nextjs.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAG/C,eAAO,MAAM,WAAW,EAAE,YAAY,EAkLrC,CAAC"}

package/build/data/rules/nextjs.js

@@ -0,0 +1,148 @@
+// Security rules for Next.js App Router patterns
+export const nextjsRules = [
+    {
+        id: "VG400",
+        name: "Client Component Secret Exposure",
+        severity: "critical",
+        owasp: "A01:2025 Broken Access Control",
+        description: "Server-side environment variable accessed in a 'use client' component. These values are exposed to the browser. Only NEXT_PUBLIC_ variables are safe in client components.",
+        pattern: /["']use client["'][\s\S]*?process\.env\.(?!NEXT_PUBLIC_)\w+/g,
+        languages: ["javascript", "typescript"],
+        fix: "Move this logic to a Server Component or Server Action. Only process.env.NEXT_PUBLIC_* variables are available in client components.",
+        fixCode: '// Move to a Server Component (no \'use client\')\nexport default async function Page() {\n  const secret = process.env.SECRET_KEY;\n  return <ClientComponent data={safeData} />;\n}',
+        compliance: ["SOC2:CC6.1", "HIPAA:§164.312(a)"],
+    },
+    {
+        id: "VG401",
+        name: "Server Action Missing Input Validation",
+        severity: "high",
+        owasp: "A03:2025 Injection",
+        description: "Server Action processes form data without schema validation. Unvalidated input can lead to injection attacks.",
+        pattern: /["']use server["'][\s\S]{0,500}?formData\.get\s*\(/g,
+        languages: ["javascript", "typescript"],
+        fix: "Validate all inputs with a schema library (zod, yup, valibot) before processing.",
+        fixCode: '"use server";\nimport { z } from "zod";\n\nconst schema = z.object({ name: z.string().min(1), email: z.string().email() });\n\nexport async function createUser(formData: FormData) {\n  const data = schema.parse(Object.fromEntries(formData));\n}',
+        compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.1"],
+    },
+    {
+        id: "VG402",
+        name: "Server Action Missing Auth Check",
+        severity: "critical",
+        owasp: "A01:2025 Broken Access Control",
+        description: "Server Action performs data mutations without verifying user authentication. Anyone can invoke Server Actions directly via POST request.",
+        pattern: /["']use server["'][\s\S]{0,200}?export\s+async\s+function\s+\w+\s*\([^)]*\)\s*\{(?:(?!auth\s*\(|getServerSession|currentUser|getUser|requireAuth|clerkClient)[\s\S])*?\}/g,
+        languages: ["javascript", "typescript"],
+        fix: "Always verify authentication at the start of every Server Action.",
+        fixCode: '"use server";\nimport { auth } from "@clerk/nextjs/server";\n\nexport async function deleteItem(id: string) {\n  const { userId } = await auth();\n  if (!userId) throw new Error("Unauthorized");\n}',
+        compliance: ["SOC2:CC6.6", "PCI-DSS:Req6.5.10", "HIPAA:§164.312(d)"],
+    },
+    {
+        id: "VG403",
+        name: "Route Handler CORS Wildcard",
+        severity: "high",
+        owasp: "A01:2025 Broken Access Control",
+        description: "Route handler sets Access-Control-Allow-Origin to wildcard (*). This allows any website to make requests to your API.",
+        pattern: /(?:GET|POST|PUT|DELETE|PATCH|OPTIONS)\s*\([\s\S]*?["']Access-Control-Allow-Origin["']\s*[,:]\s*["']\*["']/g,
+        languages: ["javascript", "typescript"],
+        fix: "Restrict CORS to specific trusted origins instead of wildcard.",
+        fixCode: '// Restrict to specific origin\nconst allowedOrigin = process.env.ALLOWED_ORIGIN;\nreturn new Response(data, {\n  headers: { "Access-Control-Allow-Origin": allowedOrigin }\n});',
+        compliance: ["SOC2:CC6.6"],
+    },
+    {
+        id: "VG404",
+        name: "Middleware Auth Bypass Risk",
+        severity: "high",
+        owasp: "A01:2025 Broken Access Control",
+        description: "Middleware or proxy has overly broad public path matcher that may accidentally expose protected routes.",
+        pattern: /(?:matcher|config)\s*[=:]\s*[\s\S]*?["']\/\(\.\*\)["']/g,
+        languages: ["javascript", "typescript"],
+        fix: "Use specific path matchers instead of catch-all patterns.",
+        fixCode: '// Be specific with matchers\nexport const config = {\n  matcher: ["/dashboard/:path*", "/api/:path*"]\n};',
+        compliance: ["SOC2:CC6.6"],
+    },
+    {
+        id: "VG405",
+        name: "Missing Security Headers in Next Config",
+        severity: "medium",
+        owasp: "A05:2025 Security Misconfiguration",
+        description: "next.config is missing important security headers (Content-Security-Policy, Strict-Transport-Security, X-Frame-Options).",
+        pattern: /(?:async\s+)?headers\s*\(\s*\)\s*\{[\s\S]*?return\s*\[[\s\S]*?\][\s\S]*?\}/g,
+        languages: ["javascript", "typescript"],
+        fix: "Add security headers in next.config.ts headers() function.",
+        fixCode: '// next.config.ts\nasync headers() {\n  return [{\n    source: "/(.*)",\n    headers: [\n      { key: "X-Frame-Options", value: "DENY" },\n      { key: "X-Content-Type-Options", value: "nosniff" },\n      { key: "Strict-Transport-Security", value: "max-age=63072000; includeSubDomains" },\n    ]\n  }];\n}',
+        compliance: ["SOC2:CC6.1", "PCI-DSS:Req6.5.10"],
+    },
+    {
+        id: "VG406",
+        name: "Unsanitized Dynamic Route Params",
+        severity: "high",
+        owasp: "A03:2025 Injection",
+        description: "Dynamic route parameters (params, searchParams) are used directly in database queries or operations without validation.",
+        pattern: /(?:params|searchParams)\s*[\.\[]\s*["']?\w+["']?\s*[\]\)]?\s*(?:;|\))\s*[\s\S]*?(?:query|execute|findUnique|findFirst|findMany|delete|update|create)\s*\(/g,
+        languages: ["javascript", "typescript"],
+        fix: "Always validate and sanitize dynamic route parameters before using them in queries.",
+        fixCode: '// Validate params before use\nimport { z } from "zod";\nconst idSchema = z.string().uuid();\n\nexport default async function Page({ params }: { params: { id: string } }) {\n  const id = idSchema.parse((await params).id);\n  const item = await db.item.findUnique({ where: { id } });\n}',
+        compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.1"],
+    },
+    {
+        id: "VG407",
+        name: "Server Data Leaked to Client Component",
+        severity: "high",
+        owasp: "A01:2025 Broken Access Control",
+        description: "Sensitive data (tokens, secrets, internal IDs) appears to be passed from server to client component as props.",
+        pattern: /(?:secret|token|password|apiKey|privateKey|internalId|ssn|creditCard)\s*=\s*\{[\s\S]*?\}/g,
+        languages: ["javascript", "typescript"],
+        fix: "Never pass sensitive data as props to client components. Keep secrets server-side.",
+        fixCode: "// Keep sensitive data server-side\nexport default async function Page() {\n  const secret = process.env.API_SECRET;\n  const publicData = await fetchData(secret);\n  return <ClientComponent data={publicData} />;\n}",
+        compliance: ["SOC2:CC6.1", "HIPAA:§164.312(a)"],
+    },
+    {
+        id: "VG408",
+        name: "Unsafe innerHTML Usage",
+        severity: "high",
+        owasp: "A03:2025 Injection",
+        description: "Using dangerouslySetInnerHTML renders unescaped HTML, which can lead to XSS if the content includes user input. This is a security rule detector — it flags vulnerable code patterns.",
+        pattern: /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html\s*:/g,
+        languages: ["javascript", "typescript"],
+        fix: "Sanitize HTML with DOMPurify before rendering, or use a markdown renderer instead.",
+        fixCode: '// Use a sanitizer library\nimport DOMPurify from "dompurify";\nconst clean = DOMPurify.sanitize(content);\n\n// Or use a markdown renderer\nimport ReactMarkdown from "react-markdown";\n<ReactMarkdown>{content}</ReactMarkdown>',
+        compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.7"],
+    },
+    {
+        id: "VG409",
+        name: "Open Redirect via User Input",
+        severity: "medium",
+        owasp: "A01:2025 Broken Access Control",
+        description: "redirect() or NextResponse.redirect() uses user-controlled input (searchParams, query) which can redirect users to malicious sites.",
+        pattern: /redirect\s*\(\s*(?:searchParams|params|req\.query|request\.url|url|query)\s*[\.\[]/g,
+        languages: ["javascript", "typescript"],
+        fix: "Validate redirect URLs against an allowlist of trusted domains.",
+        fixCode: '// Validate redirect URL\nconst ALLOWED_HOSTS = ["example.com"];\nconst target = searchParams.get("next") ?? "/";\ntry {\n  const url = new URL(target, request.url);\n  if (!ALLOWED_HOSTS.includes(url.hostname)) redirect("/");\n  redirect(url.pathname);\n} catch {\n  redirect("/");\n}',
+        compliance: ["SOC2:CC6.6"],
+    },
+    {
+        id: "VG410",
+        name: "Unauthorized Cache Revalidation",
+        severity: "medium",
+        owasp: "A01:2025 Broken Access Control",
+        description: "revalidateTag() or revalidatePath() is called in a route handler without authentication check. Anyone could trigger cache invalidation.",
+        pattern: /(?:GET|POST|PUT|DELETE)\s*\([\s\S]*?(?:revalidateTag|revalidatePath)\s*\([\s\S]*?(?![\s\S]*?(?:auth\s*\(|getServerSession|currentUser))/g,
+        languages: ["javascript", "typescript"],
+        fix: "Protect revalidation endpoints with authentication or a secret token.",
+        fixCode: 'import { auth } from "@clerk/nextjs/server";\n\nexport async function POST(req: Request) {\n  const { userId } = await auth();\n  if (!userId) return new Response("Unauthorized", { status: 401 });\n  revalidateTag("posts");\n  return Response.json({ revalidated: true });\n}',
+        compliance: ["SOC2:CC6.6"],
+    },
+    {
+        id: "VG411",
+        name: "NEXT_PUBLIC_ Secret Leak",
+        severity: "critical",
+        owasp: "A07:2025 Sensitive Data Exposure",
+        description: "Environment variable prefixed with NEXT_PUBLIC_ contains a secret keyword (SECRET, KEY, PASSWORD, TOKEN). NEXT_PUBLIC_ variables are embedded in the client bundle and visible to anyone.",
+        pattern: /NEXT_PUBLIC_\w*(?:SECRET|_KEY|PASSWORD|TOKEN|PRIVATE|CREDENTIAL)\w*\s*=/gi,
+        languages: ["javascript", "typescript", "shell"],
+        fix: "Remove NEXT_PUBLIC_ prefix from secret variables. Access them only server-side.",
+        fixCode: "# .env.local — WRONG\n# NEXT_PUBLIC_SECRET_KEY=sk_live_xxx\n\n# .env.local — CORRECT\nSECRET_KEY=sk_live_xxx\n# Access server-side only: process.env.SECRET_KEY",
+        compliance: ["SOC2:CC6.1", "PCI-DSS:Req2.3", "HIPAA:§164.312(a)"],
+    },
+];
+//# sourceMappingURL=nextjs.js.map

package/build/data/rules/nextjs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"nextjs.js","sourceRoot":"","sources":["../../../src/data/rules/nextjs.ts"],"names":[],"mappings":"AAEA,iDAAiD;AACjD,MAAM,CAAC,MAAM,WAAW,GAAmB;IACzC;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,4KAA4K;QAC9K,OAAO,EAAE,8DAA8D;QACvE,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,sIAAsI;QAC3I,OAAO,EACL,uLAAuL;QACzL,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wCAAwC;QAC9C,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,+GAA+G;QACjH,OAAO,EACL,qDAAqD;QACvD,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,kFAAkF;QACvF,OAAO,EACL,sPAAsP;QACxP,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,0IAA0I;QAC5I,OAAO,EACL,2KAA2K;QAC7K,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,mEAAmE;QACxE,OAAO,EACL,uMAAuM;QACzM,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,EAAE,mBAAmB,CAAC;KACrE;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,uHAAuH;QACzH,OAAO,EACL,4GAA4G;QAC9G,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,gEAAgE;QACrE,OAAO,EACL,kLAAkL;QACpL,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,yGAAyG;QAC3G,OAAO,EAAE,yDAAyD;QAClE,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,2DAA2D;QAChE,OAAO,EACL,4GAA4G;QAC9G,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,yCAAyC;QAC/C,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,0HAA0H;QAC5H,OAAO,EACL,6EAA6E;QAC/E,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,4DAA4D;QACjE,OAAO,EACL,mTAAmT;QACrT,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,yHAAyH;QAC3H,OAAO,EACL,4JAA4J;QAC9J,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,qFAAqF;QAC1F,OAAO,EACL,+RAA+R;QACjS,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wCAAwC;QAC9C,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,+GAA+G;QACjH,OAAO,EACL,2FAA2F;QAC7F,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,oFAAoF;QACzF,OAAO,EACL,yNAAyN;QAC3N,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,uLAAuL;QACzL,OAAO,EAAE,qDAAqD;QAC9D,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,oFAAoF;QACzF,OAAO,EACL,oOAAoO;QACtO,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,8BAA8B;QACpC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,qIAAqI;QACvI,OAAO,EACL,qFAAqF;QACvF,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iEAAiE;QACtE,OAAO,EACL,+RAA+R;QACjS,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,iCAAiC;QACvC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,yIAAyI;QAC3I,OAAO,EACL,0IAA0I;QAC5I,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,uEAAuE;QAC5E,OAAO,EACL,oRAAoR;QACtR,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,2LAA2L;QAC7L,OAAO,EACL,2EAA2E;QAC7E,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,OAAO,CAAC;QAChD,GAAG,EAAE,iFAAiF;QACtF,OAAO,EACL,iKAAiK;QACnK,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,EAAE,mBAAmB,CAAC;KAClE;CACF,CAAC"}